What is China’s new data privacy law hoping to achieve?
The first of November marked the beginning of an apparent regulatory crackdown on data privacy violations in China, as the country’s first comprehensive privacy law (the Personal Information Protection Law, or PIPL) came into effect, leading to surging demand for data protection specialists and seeing major corporations depart.
The new law, which has been compared to Europe’s GDPR by the not-for-profit international privacy community IAPP (International Association of Privacy Professionals), will not only see an increase in data security, sovereignty and personal information rights, but will also reshape how companies in China do business, the organization writes.
“When you look at PIPL, it is really focusing on protecting individuals, society, and national security—because of the unique Chinese political system,” says Alexa Lee, a senior manager of policy at the Information Technology Industry Council and an associate editor of Stanford University’s DigiChina project, which has been translating the PIPL into English.
The law aims to enhance cybersecurity while complementing the country’s national security interests; companies wanting to share data outside of China must therefore now go through a national security review. The same goes for companies holding data on more than a million people that is to be sent abroad, and likewise for any reasonably sized company operating in and out of China.
“If European data protection laws are grounded in fundamental rights and U.S. privacy laws are grounded in consumer protection, Chinese privacy law is closely aligned with, and I would even say grounded in, national security,” says Omer Tene, a partner specializing in data, privacy, and cybersecurity at law firm Goodwin. Reviews may include laying out why data is being transferred out of China, the types of information being sent, and the risks of doing so.
Companies are required to employ a data protection officer, and if PIPL is breached, applicable fines can be up to $7.8 million or 5 percent of a firm’s annual revenue, roughly equivalent to GDPR’s $23 million and 4 percent thresholds.
That said, government access to citizens’ personal data will not be affected by PIPL. Chinese citizens will remain under some form of surveillance, says Wired. Government use of digital surveillance is a “take it or take it” proposition. There is no significant government consideration of how citizens feel about the blanket biometric surveillance throughout the nation. Last month, however, saw reports that China has approved its first AI industry ethics guidelines, which, if grounded in the law, could surpass the West in establishing governance rules.
Wired highlights PIPL’s potential for influence on neighboring countries which are still developing their own data protection policies. DigiChina’s Lee is concerned that other Asian countries may follow suit using data localization measures, which are already being seen in draft laws in India and Vietnam.
While IAPP compares the key types of personal information rights under the GDPR and the PIPL, such as the right to erasure, the right to data portability and the right not to be subject to automated decision making, it remains uncertain how such rights under PIPL might be interpreted in practice and what effects PIPL will have on Chinese citizens.